If you’re on OS X or a reasonably friendly Linux box, you should get a native OS dialog asking you for the passphrase you just put on your private key. Enter it, and you should be golden. If you’re on another OS that doesn’t provide an automated agent, you probably want to look at this for more info.

Note that you can now make onward connections from the remote machine without being prompted to authenticate again. Magic!

Proxying connections through a bastion host

This is crazy useful for maintaining a cluster of machines without having to expose their SSH servers to the internet. All you need to keep open is ssh on your bastion host and you have access to anything on the internal machines nearly automatically. Here goes:

Let’s say you have an internal network of machines in a .internal domain (maebe.internal, gob.internal, etc). Assuming you already have SSH access to these machines as detailed in the previous section, you can simply add something like this to your ~/.ssh/config file:

Host *.internal
    ProxyCommand ssh <bastion_host> nc %h %p

and you’ll magically be able to run ssh commands like the following:

ssh maebe.internal

What??? How does my machine know to resolve maebe.internal from anywhere on the internet, you ask? It doesn't have to. SSH matches the hostname you typed against the Host *.internal entry and, instead of opening the connection itself, runs the ProxyCommand: it logs in to the bastion host and runs nc there, with %h and %p replaced by the destination hostname and port. As such, your destination hostname actually gets looked up in the DNS context of the bastion host, which (presumably) knows how to resolve maebe.internal. Once again, Magic!
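
To take the magic apart, here is an added example (not from the original post, and not OpenSSH's own code) that mimics in Python how ssh selects config for a hostname and expands %h and %p in ProxyCommand. It goes a little beyond the text by handling negated patterns and the first-value-wins rule; the sample config, bastion.example.com and db.internal are constructed, and only Host, Port, HostName and ProxyCommand are modelled.

```python
import re

# Constructed sample config; bastion.example.com stands in for <bastion_host>.
SAMPLE_CONFIG = """\
Host *.internal !db.internal
    ProxyCommand ssh bastion.example.com nc %h %p

Host gob.internal
    Port 2222
    ProxyCommand none

Host *
    Port 22
"""

def pattern_matches(pattern, host):
    # ssh_config patterns only know '*' and '?'; everything else is literal.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, host) is not None

def host_line_matches(patterns, host):
    # Needs at least one positive match; any matching '!pattern' vetoes the line.
    if any(p.startswith("!") and pattern_matches(p[1:], host) for p in patterns):
        return False
    return any(not p.startswith("!") and pattern_matches(p, host) for p in patterns)

def effective_options(config_text, host):
    # For each option the first value obtained wins, so order in the file matters.
    options, active = {}, True  # lines before the first Host apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = host_line_matches(value.split(), host)
        elif active:
            options.setdefault(key, value)
    return options

def proxy_command(config_text, host):
    # Returns the command ssh would run as its transport, or None for a direct connection.
    opts = effective_options(config_text, host)
    cmd = opts.get("proxycommand", "none")
    if cmd.lower() == "none":
        return None
    tokens = {"%h": opts.get("hostname", host), "%p": opts.get("port", "22"), "%%": "%"}
    return re.sub(r"%[hp%]", lambda m: tokens[m.group(0)], cmd)
```

In this sample gob.internal still goes through the bastion: the earlier *.internal block supplied ProxyCommand first, so the later "ProxyCommand none" never takes effect. Put exceptions above the wildcard block they are meant to override.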